Search This Blog

Showing posts with label Facebook leaked data. Show all posts

Facebook Data Breach: API Security Risks


In the year 2018 Facebook disclosed a massive data breach due to which the company had to face a lawsuit along with allegations of not properly securing its user data. The breach directly affected the authentication tokens of nearly 30 million of its users which led to the filing of several class-action complaints in a San Francisco appeals court. In the wake of the incident, Facebook pledged to strengthen its security.

A feature, known as "View As" which was employed by developers to render user pages was exploited by hackers to get access to user tokens. The theft of these tokens is associated with the advancement of a major API security risk, it also indicates how API risks can go unnoticed for such a long time frame. The trends in digital up-gradation have further pushed the process of continuous integration and continuous delivery – CI/CD, which are closely related concepts but are sometimes used interchangeably. The main purpose of continuous delivery is to ensure that the deployment of a new code takes the least possible effort. It enables DevOps to maintain a constant flow of software updates to fasten release patterns and reduce the risks related to development.

Conventionally, developers used to work on the parts of an application– one at a time and then manually merge the codes. The process was isolated and time-consuming, it led to the duplication of code creation efforts. However, as the IT ecosystem went on embracing the new CI/CD model and effectively sped up the development process while ensuring early detection of bugs, almost all the security has been commercialized by ace infrastructure providers namely Microsoft and Amazon. The commodities offered include authorization, container protection and encryption of data. Similarly, security components of first-generation firewalls and gateways like the protection of denial-of-service (DDoS) attacks also constitute the infrastructure.

When it comes to navigating and communicating – especially through an unfamiliar space, APIs are a powerful tool with great flexibility in their framework. However, similar reasons also make APIs equally vulnerable also.

While giving insights into the major IT risk posed by APIs, Terry Ray, chief security officer for Imperva told, "APIs represent a mushrooming security risk because they expose multiple avenues for hackers to try to access a company's data."

"To close the door on security risks and protect their customers, companies need to treat APIs with the same level of protection that they provide for their business-critical web applications."

The API threat is basically rooted in its lack of visibility, Subra Kumaraswamy, the former head of product security at Apigee, an API security vendor owned by Google, while putting the risk into the perspective, told: "When you have visibility into your APIs throughout your organization, you can then put controls in place."

"You might decide that a certain API should only be exposed to in-house developers, not external, third-party ones. If you don't have visibility, you can't see who is accessing what."

While labeling the authorization and improper asset management as areas of key concern, Yalon told, “Authorization mechanisms are complex because they are not implemented in one place, but in many different components like configuration files, code, and API gateways."

“Even though this sometimes may look like simple housekeeping, having a very clear understanding of the APIs, with well-maintained inventory, and documentation (we whole-heartedly recommend Open API Specification) is very critical in the world of APIs,” he further said.

Facebook used user data to control competitors and rivals


Leaked documents from a lawsuit filed by a now-defunct startup Six4Three on Facebook shows some 700 pages revealing how Facebook leveraged user data against rivals and offered it up as a sop to friends.

NBC News reported how Facebook's executive team harnessed user data and used it as a bargaining chip to manipulate rivals. There are thousands of leaked documents to support that this was done under the supervision of the company's CEO Mark Zuckerberg.



NBC News has published an entire log of documents containing 7,000 pages including 4,000 internal communications such as emails, web chats, notes, presentations, spreadsheets on Facebook. These documents are dated between 2011 and 2015 that disclose the company's strategy of rewarding partners by giving them preferential data while denying the same to competitors.

The lawsuit that resulted in this major leak, was filed by Six4Three, a now inoperative startup which created the failed app Pikinis. The app allowed users to view pictures posted by people on Facebook and in order to work, the software required access to data on Facebook. The suit accuses Facebook of misusing and abusing data and uneven distribution of it. Other apps including Lulu, Beehive ID, and Rosa Bandet couldn't do business anymore after losing access to data.

The documents also revealed similar operations, for instance, the social network company gave extended access to user data to Amazon, as it partnered with Facebook and spent on Facebook advertising while denied data to MessageMe, a messaging app when it grew large enough to be a competition to Facebook.

Commenting on the documents, Facebook’s vice president and deputy general counsel, Paul Grewal, told NBC News, “As we’ve said many times, Six4Three — creators of the Bikinis app — cherry-picked these documents from years ago as part of a lawsuit to force Facebook to share information on friends of the app’s users.” However, no evidence has been provided by the company to support the "cherry-picked" claim.

In March, this year Zuckerberg said, that Facebook would focus more on its user's privacy as the social network's future. But for Facebook, privacy seems like a PR stunt and data more of a currency.